[OpenID] Trust + Security @ OpenID
John Panzer
jpanzer at acm.org
Thu Jul 19 23:56:02 UTC 2007
Dmitry Shechtman wrote:
> Thank you for your comments, John.
>
>> In particular, if you see a 302 redirect on step (2) to an https:// URL,
>> ignore it (susceptible to man-in-the-middle attack).
>>
>
> So should we distrust identifiers that redirect via plain HTTP?
>
The attack vector: I poison your local DNS resolver, or proxy all
traffic, so that http://foo.blogspot.com actually resolves to
http://evil.org's IP. If you follow the 302 redirect, you could be
allowing evil.org to tell you what the "canonical" URL is. For example
it could do a 302 redirect over to https://evil.org which presents a
valid certificate and which can masquerade as the user's OP, capturing
their password. (For users who check URLs, it could be
https://my.open1d.org instead of https://evil.org.)
If you use https throughout, the DNS attack will fail because
https://foo.blogspot.com can't present a valid certificate for
foo.blogspot.com.
>
>> And the above applies both to an OpenID URL itself and any URLs that
>> resource delegates to via <link>.
>>
>
> I don't see why delegates should get any special treatment. In fact, it
> looks like the security add-on should be completely delegation-blind.
>
(Same argument as above for 302 redirects.) Note that this is a fairly
difficult attack but we are talking about security-conscious RPs here.
>
> Regards,
> Dmitry
> =damnian
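The scheme-stability rule from the exchange above (a 302 from an http:// identifier to an https:// URL is not followed, and the same test is applied to openid.server / openid.delegate <link>s found in the document), as an added example that is not part of the original thread. Function names, the HTML sample and the hostnames are constructed; it also refuses the https-to-http downgrade, which goes beyond what the post states.

```python
"""Discovery-time checks an RP can apply so that a DNS-poisoned http:// hop
cannot hand it an attacker-chosen https:// 'canonical' URL or OP endpoint."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def redirect_allowed(fetched_url: str, location: str) -> bool:
    """Follow a 302 only if it keeps the scheme of the page that issued it.

    An http:// response may have come from whoever controls the resolver, so
    a redirect it issues to https:// proves nothing about the identifier.
    The https:// -> http:// downgrade is refused as well (assumption/extension).
    """
    src, dst = urlparse(fetched_url), urlparse(location)
    if dst.scheme not in ("http", "https"):
        return False
    return src.scheme == dst.scheme


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> in the <head> (constructed helper)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may carry several tokens
                self.links[r.lower()] = href


def trusted_delegation(document_url: str, html: str) -> dict[str, str]:
    """Keep openid.server / openid.delegate links only when their scheme
    matches the document that carried them (same rule as for redirects)."""
    parser = _LinkCollector()
    parser.feed(html)
    doc_scheme = urlparse(document_url).scheme
    return {
        rel: href
        for rel, href in parser.links.items()
        if rel in ("openid.server", "openid.delegate")
        and urlparse(href).scheme == doc_scheme
    }


# Constructed sample: an http:// identifier page whose <head> points the RP
# at an https:// server; that link is dropped, the http:// delegate is kept.
SAMPLE_HTML = ('<html><head><link rel="openid.server" href="https://evil.example/srv">'
               '<link rel="openid.delegate" href="http://foo.example/"></head></html>')
```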